Yimfoca Worm Spreading in the Wild

January 5, 2011

The SonicWALL UTM Research team received reports of a new variant of an IM worm spreading in the wild. It propagates through instant messaging applications such as Yahoo Messenger, AIM and MSN, as well as through the social networking site Facebook. Multiple rogue Facebook applications reportedly led to this worm; they have since been taken down.

Process of Infection:

An unsuspecting user receives, from an infected machine, an instant message inviting them to view a picture purportedly hosted on facebook.com. A sample of the suspicious message sent via MSN is shown below:

screenshot

Once the user clicks on the link, it will redirect the user to this facebook.com page:

screenshot

This is a legitimate facebook.com page and typical when one clicks on a third-party link from within facebook. However, when the user clicks the continue button, the user will be directed to the malicious website.

A screenshot of the malicious website is shown below:

screenshot

The site is designed to make the user believe they are still browsing within Facebook, although the URL shows otherwise. It also claims that the picture the user wants to see has been moved and that the user must click the "View Photo" button to see it. Clicking the button downloads the malicious IM worm.

Installation:

Drops a copy of itself:

  • %Windows%\nvsvc32.exe - [ detected as GAV: Yimfoca.AA_3 (Worm) ]

Downloads malware component:

  • C:\WINDOWS\ndl.dl
  • C:\WINDOWS\wibrf.jpg
  • C:\WINDOWS\wiybr.png

Creates a mutex to ensure that only one instance of the worm runs on the system:

  • Nvidia Drive Mon

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Registry Changes:

It adds the following registry entries to ensure that the dropped copy of the malware starts on every system reboot:

  • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    Value: "NVIDIA driver monitor"
    Data: ""c:\windows\nvsvc32.exe""
  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Value: "NVIDIA driver monitor"
    Data: ""c:\windows\nvsvc32.exe""
  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
    Value: "NVIDIA driver monitor"
    Data: ""c:\windows\nvsvc32.exe""

Adds the following registry entry to bypass Windows Firewall restrictions:

  • Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    Value: "c:\windows\nvsvc32.exe"
    Data: "c:\windows\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"
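One way for a responder to hunt for the persistence and firewall-exception entries listed above is to scan a `reg export` of the relevant hives rather than querying the live registry. The script below is an added example, not code from the SonicWALL advisory: it parses the text of a .reg file (the sample export embedded in it is constructed for this example, including a benign OneDrive entry and a benign firewall exception as negative cases) and reports any value under the three Run keys, or under the AuthorizedApplications list, that carries the advisory's value name or dropped file name. Only REG_SZ values of the form `"name"="data"` are parsed; that is a simplification of the .reg format.

```python
"""Flag Yimfoca persistence and firewall-exception entries in a .reg export.

Added example (not part of the advisory). Parses `reg export` text and reports
the Run-key values and the Windows Firewall AuthorizedApplications entry that
the advisory lists. Only "name"="data" (REG_SZ) lines are handled.
"""
import re

# Indicators taken from the advisory: persistence value name, dropped file name,
# the Run keys it writes to and the firewall authorized-applications list.
RUN_VALUE_NAME = "NVIDIA driver monitor"
DROPPED_EXE = "nvsvc32.exe"
RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server"
    r"\Install\Software\Microsoft\Windows\CurrentVersion\Run",
}
FIREWALL_LIST_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
    r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
)
_RUN_KEYS_CI = {k.lower() for k in RUN_KEYS}

# Constructed sample export: one malicious and one benign entry per key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"NVIDIA driver monitor"="\"c:\\windows\\nvsvc32.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\windows\\nvsvc32.exe"="c:\\windows\\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"
"C:\\Program Files\\Example\\example.exe"="C:\\Program Files\\Example\\example.exe:*:Enabled:Example"
'''

# In .reg string values, backslashes and double quotes are escaped with a backslash.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in .reg text."""
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]            # key paths are not escaped
            entries.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
                entries[current][name] = data
    return entries


def find_yimfoca_indicators(reg_text):
    """Return (key, value_name, data) tuples that match the advisory's indicators."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        key_ci = key.lower()
        for name, data in values.items():
            name_ci, data_ci = name.lower(), data.lower()
            if key_ci in _RUN_KEYS_CI and (
                name_ci == RUN_VALUE_NAME.lower() or DROPPED_EXE in data_ci
            ):
                hits.append((key, name, data))
            elif key_ci == FIREWALL_LIST_KEY.lower() and (
                DROPPED_EXE in name_ci or DROPPED_EXE in data_ci
            ):
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_yimfoca_indicators(SAMPLE_REG):
        print(f"{key}\n  {name} = {data}")
```

Matching is case-insensitive because the registry is, and the firewall entry is matched on both the value name and the data since the worm writes the executable path into both. On a real host, feed the script the output of `reg export` for the keys above (converted from UTF-16 to text first).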

Command & Control (C&C) Server connection:

Upon successful installation, it tries to connect to a remote server to receive further instructions:

  • Remote Server: 75.102.21.13

This worm will also join the following IRC channel to receive instructions:

  • #!nn

The screenshot below shows the IRC communication:

screenshot

Backdoor Functionality:

  • Spread via instant messaging
  • Update itself
  • Remove itself
  • Download and execute files

Network Activity:

DNS Requests:

  • 13.21.102.75
  • 18.149.220.66
  • 237.181.44.132
  • ale.pakibili.com
  • api.albertoshistory.info
  • astro.ic.ac.uk
  • insidehighered.com
  • journalofaccountancy.com
  • mas.0730ip.com
  • stayontime.info
  • transnationale.org
  • versatek.com
  • www.shearman.com

FTP Server:

  • ftp.phoenix-cc.net
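The hostnames and addresses above are the kind of indicators a SOC would load into a resolver-log search. The script below is an added example, not code from the advisory: it matches constructed DNS query-log lines (the `timestamp client qname qtype` layout is an assumption; adapt the parser to your resolver's format) against the hostnames listed under "DNS Requests" and "FTP Server" and the C&C address under "Command & Control". It also reads the three dotted entries in the DNS list ("13.21.102.75" and so on) as reversed octets of the kind found in in-addr.arpa PTR lookups, which is how this example, on its own assumption, maps the first of them back to the C&C address 75.102.21.13. Several listed hosts look like ordinary websites, so a match is a triage lead to correlate with the registry and file indicators, not a conviction on its own.

```python
"""Match DNS query logs against the network indicators in the advisory.

Added example (not part of the advisory). The log line format used by the
constructed sample below is an assumption: "timestamp client qname qtype".
"""
import ipaddress

# Hostnames under "DNS Requests" and "FTP Server", and the C&C address.
IOC_DOMAINS = {
    "ale.pakibili.com", "api.albertoshistory.info", "astro.ic.ac.uk",
    "insidehighered.com", "journalofaccountancy.com", "mas.0730ip.com",
    "stayontime.info", "transnationale.org", "versatek.com",
    "www.shearman.com", "ftp.phoenix-cc.net",
}
IOC_IPS = {"75.102.21.13"}

# Constructed sample log: one PTR lookup, two indicator hits (one via a
# subdomain), one look-alike that must not match, and one malformed line.
SAMPLE_LOG = """\
2011-01-05T10:02:11Z 10.0.0.25 www.example.com A
2011-01-05T10:02:13Z 10.0.0.25 13.21.102.75.in-addr.arpa PTR
2011-01-05T10:02:14Z 10.0.0.25 ftp.phoenix-cc.net A
2011-01-05T10:02:15Z 10.0.0.31 cdn.versatek.com A
2011-01-05T10:02:16Z 10.0.0.31 notversatek.com A
garbage line
""".splitlines()


def reversed_ptr_to_ip(qname):
    """Map '13.21.102.75.in-addr.arpa' (or bare '13.21.102.75') to '75.102.21.13'.

    Assumption of this example: the dotted entries in the advisory's DNS list are
    reversed octets as written in PTR lookups. Returns None for non-IPv4 names.
    """
    name = qname.lower().rstrip(".")
    if name.endswith(".in-addr.arpa"):
        name = name[: -len(".in-addr.arpa")]
    octets = name.split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def is_ioc_hostname(qname):
    """True on an exact or parent-domain match (cdn.versatek.com matches versatek.com)."""
    labels = qname.lower().rstrip(".").split(".")
    # Stop before the bare TLD so 'com' alone can never match.
    return any(".".join(labels[i:]) in IOC_DOMAINS for i in range(len(labels) - 1))


def scan_dns_log(lines):
    """Return (timestamp, client, qname, reason) for each query that hits an indicator."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the sweep
        ts, client, qname, _qtype = parts[:4]
        if is_ioc_hostname(qname):
            hits.append((ts, client, qname, "ioc-domain"))
            continue
        ip = reversed_ptr_to_ip(qname)
        if ip in IOC_IPS:
            hits.append((ts, client, qname, f"ptr-lookup-of-{ip}"))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(*hit)
```

Parent-domain matching is deliberate: the worm's infrastructure may use hostnames other than the exact ones captured in the advisory, while the label-boundary check keeps look-alikes such as notversatek.com from matching.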

Propagation:

This worm propagates via the following platforms:

Instant Messaging Applications:

  • AIM
  • MSN
  • Yahoo Messenger

Social Networking Site:

  • Facebook

Other System Modification:

Terminates the following services:

  • Microsoft Malware Protection Service - MsMpSvc
  • Windows AutoUpdate Service - wuauserv

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

GAV: Yimfoca.AA_3 (Worm)